WS Security Performance

The WS Secure Conversation specification describes a mechanism letting multiple parties establish a context (using the WS Trust Request Security Token standard) and secure subsequent SOAP exchanges. Each WS Secure Conversation session has an associated shared secret. Instead of using this shared secret directly to sign and encrypt the conversation's messages, symmetric keys are derived from the secret itself. Deriving new keys for each message and different keys for signature and encryption limits the amount of data that an attacker can analyze in attempting to compromise the context.

Derived Key Tokens are tokens in a SOAP Security Header that refer to the derived keys. Using the context's shared secret and hints provided by the Derived Key Token element, the message's recipient derives the key used by the requestor either to verify a signature or decrypt parts of the message.

How Derived Key Tokens are used is best understood by looking at Listing #1, which illustrates a SOAP message signed and encrypted as detailed by the WS Secure Conversation specification. Notice how the element Header/Security/SecurityContextToken refers to the pre-established WS Secure Conversation context. Both parties participating in this message know the shared secret associated with the context. Two Derived Key Tokens are declared in the Security header. Both of those Derived Key Tokens refer to the same Security Context Token but the associated derived keys are different as per the derivation Nonces provided. The element Header/Security/Signature/KeyInfo refers to one of the derived keys and the Body/EncryptedData/KeyInfo refers to the other.

Derived Key Tokens Beyond Secure Conversation Contexts
The Derived Key Token mechanism described in WS Secure Conversation relies on a shared secret. This shared secret doesn't have to be in the form of a WS Secure Conversation context key. It can be as simple as a password (think UsernameToken) or a Kerberos ticket (think Kerberos BinarySecurityTokens). Any form of shared secret that can be mapped to a security token can effectively serve as the basis for deriving keys (although for an implementation to interoperate easily one should stick to the derivations defined by standards). For example, the Web Services Security UsernameToken Profile 1.1 specification describes a mechanism where the password associated with a username is used to derive a secret key to protect the integrity or confidentiality of the message content. This has the advantage of not requiring that the context be pre-established.

Another interesting approach to key derivation that avoids the offline establishment of a context is to derive keys on an EncryptedKeyToken. In this case, the requestor makes up a secret, encrypts it, and sends it to the recipient. This generated secret is shared between the requestor and the recipient and only the recipient can decrypt it. Of course, this shared secret alone can't be used for authentication purposes but derived keys based on such a shared secret can still be useful for encrypting a message and signing it for ensuring integrity. The WS Security 1.1 spec also allows subsequent messages to refer to an encrypted key defined in a previous message. Deriving keys based on this previous secret has the advantage of avoiding the expensive operation associated with deciphering a new encrypted key for each message. Of course, any use of EncryptedKeyTokens requires the initiator to know the X509 cert of the recipient to encrypt the initial key.

WS Security Performance
Messages secured on a pre-established WS Secure Conversation are processed by both parties using symmetrical cryptography only. This contrasts with other mechanisms such as the ones described in the X509 Token Profile specification where XML digital signatures are based on an X509 BinarySecurityToken and where encryption is based on a key that is itself encrypted using the recipient's public key. In that case, both signature and encryption operations require using asymmetrical cryptography.

Your CPU will tell you that cryptography is generally expensive and that asymmetrical cryptography is extremely expensive. So it's reasonable to expect WS Secure Conversation-based WS Security to be processed at faster rate than X509-based WS Security. The question is how significant this performance advantage is in a real-world deployment burdened by other overheads such as XML processing.

Secure Conversation vs. X509 Profile Benchmark
As illustrated in Figure 1, an XML gateway is introduced between a number of WS requestors and a WS server. This XML gateway gets security-decorated SOAP requests coming in from clients, deciphers them, and verifies the digital signature. The XML gateway then forwards the request to the back-end Web Service that returns a SOAP response. This response is then secured by the XML gateway (XML encryption and signature) before it's forwarded back to the original requestor. The response security is achieved using the same mechanism used to secure the request.

CIO, CTO & Developer Resources

The WS Security method used for securing these SOAP messages is dictated by a WS Policy document published by the XML gateway. By altering this policy document we can switch between messages secured using Derived Key Tokens associated with a WS Secure Conversation session versus messages secured using an X509 token profile mechanism. The key derivation algorithm used by the XML gateway is the standard PSHA-1 described in the WS Secure Conversation specification.

In this scenario the number of messages per second the gateway was able to process for each of these WS Security mechanisms was measured. Listings 1 and 2 illustrate sample messages processed by the XML gateway for Derived Key Tokens and X509 respectively. Also measured was the number of requests per time unit processed by this same gateway in a case where messages didn't involved WS Security at all and were exchanged through SSL as well as a benchmark measurement taken with no security policy present al all.

On the requestor side, five systems running Apache benchmark were simultaneously sending pre-formatted SOAP requests to the XML gateway inside an isolated network. The gateway was deployed as a single node. On the back-end, an Apache server returned static unsecured SOAP responses. In these tests, all of the WS Security processing was delegated to the gateway, both the requestors and the back-end service were sending hard-coded SOAP messages; this ensures that we focus the bottleneck and isolate the real throughput of the XML gateway with regards to WS Security processing as much as possible.

Benchmark Results
The numbers shown (see Table 1) are for messages processed per second by the single node XML gateway (note that each request and response is processed as separate messages). As you can see, when processing messages secured using WS Secure Conversation, the XML gateway was able to handle as many as 798 messages per second as compared to 352 messages per second for X509-based signatures and encryption. The anticipated performance gain predicted is very significant; the throughput more than doubles for the single XML gateway node.

To provide context the number of messages the same XML gateway processed when security was based purely on transport mechanisms (in this case SSL) was also measured. In that case, the single node XML gateway processed 2,918 messages a second.

Summary
Using a purely symmetric crypto approach to WS Security as is possible with Derived Key Tokens produces a processing performance advantage over WS Security achieved through the X509 profile that relies on public key crypto. This performance gain has the potential to translate into significant throughput gains in a production environment where WS Security processing is involved in a bottleneck. Derived Key Tokens are also a practical approach to WS Security; they can be used in conjunction with a number of different mechanisms such as Kerberos, passwords, and WS Secure Conversations, and they don't need a public key infrastructure.

However, the mechanisms described in the X509 token profile should by no means be regarded as inferior. The public key aspects of the X509 token profile provide functional advantages over WS Security relying exclusively on Derived Key Tokens.

Indeed, the performance advantage provided by signing and encrypting messages using exclusively symmetrical crypto comes at a price. Because the messages are signed with something based on a shared secret, those signatures can't form the basis of non-repudiation. Both parties knowing the shared secret can produce such signatures. Conversely, when message signatures are based on an X509 token, they prove the possession of a private key to which the recipient doesn't have access; the signing party can't claim that the other party forged his or her signature. Obviously, asymmetrical crypto is just one piece of the complicated non-repudiation puzzle, but an essential one nevertheless.

Another advantage of using X509 mechanisms over session-based security is that digital certificates and their associated private keys typically have a longer lifecycle than security contexts such as WS Secure Conversation sessions or Kerberos tickets. The ephemeral nature of security contexts restricts (if not eliminates) the ability to audit a message offline long after it's been processed. Once a session has expired, and the associated shared secret is forgotten, encryption can no longer be undone and signatures become meaningless. On the other hand, messages including signatures and encrypted elements that refer to X509 certificates can be saved for later auditing; they can be decrypted later, their signatures can be verified.

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth.
Follow Francois on Twitter: @flascelles

Over the past 10 years, Aaron Flint has worked, in increasingly senior positions, to ensure quality of enterprise-level server applications. He joined Layer 7 Technologies to lead the QA department early on and has been helping to build and release a quality SecureSpan product line since then.

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

At its core DevOps is all about collaboration. The lines of communication must be opened and it takes some effort to ensure that they stay that way. It’s easy to pay lip service to trends and talk about implementing new methodologies, but without action, real benefits cannot be realized. Success requires planning, advocates empowered to effect change, and, of course, the right tooling.
To bring about a cultural shift it’s important to share challenges. In simple terms, ensuring that everyone k...

Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and co...

Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall.
As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...

Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches.
In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...

With the rise of Docker, Kubernetes, and other container technologies, the growth of microservices has skyrocketed among dev teams looking to innovate on a faster release cycle. This has enabled teams to finally realize their DevOps goals to ship and iterate quickly in a continuous delivery model. Why containers are growing in popularity is no surprise — they’re extremely easy to spin up or down, but come with an unforeseen issue.
However, without the right foresight, DevOps and IT teams may lo...

Kubernetes is a new and revolutionary open-sourced system for managing containers across multiple hosts in a cluster. Ansible is a simple IT automation tool for just about any requirement for reproducible environments.
In his session at @DevOpsSummit at 18th Cloud Expo, Patrick Galbraith, a principal engineer at HPE, will discuss how to build a fully functional Kubernetes cluster on a number of virtual machines or bare-metal hosts. Also included will be a brief demonstration of running a Galer...

DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE).
Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...

In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....

"There is a huge interest in Kubernetes. People are now starting to use Kubernetes and implement it," stated Sebastian Scheele, co-founder of Loodse, in this SYS-CON.tv interview at DevOps at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.

Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...

Eggplant, the customer experience optimization specialist, announced the latest enhancements to its Digital Automation Intelligence (DAI) Suite. The new capabilities augment Eggplant’s continuous intelligent automation by making it simple and quick for teams to test the performance and usability of their products as well as basic functionality, delivering a better user experience that drives business outcomes.

Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and demonstrated techniques for implementing advanced scheduling. For example, using spot instances and cost-effective resources on AWS, coupled with the ability to deliver a minimum set of functionalities that cover the majority of needs – without configuration complexity.

Eggplant, the customer experience optimization specialist, announced the latest enhancements to its Digital Automation Intelligence (DAI) Suite. The new capabilities augment Eggplant’s continuous intelligent automation by making it simple and quick for teams to test the performance and usability of their products as well as basic functionality, delivering a better user experience that drives busin...

At its core DevOps is all about collaboration. The lines of communication must be opened and it takes some effort to ensure that they stay that way. It’s easy to pay lip service to trends and talk about implementing new methodologies, but without action, real benefits cannot be realized. Success requires planning, advocates empowered to effect change, and, of course, the right tooling.
To bring ...

Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, answered these questions and de...

Conor Delanbanque has been involved with building & scaling teams in the DevOps space globally. He is the Head of DevOps Practice at MThree Consulting, a global technology consultancy. Conor founded the Future of DevOps Thought Leaders Debate. He regularly supports and sponsors Meetup groups such as DevOpsNYC and DockerNYC.

As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations.
Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward ma...

At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a ...

The use of containers by developers -- and now increasingly IT operators -- has grown from infatuation to deep and abiding love. But as with any long-term affair, the honeymoon soon leads to needing to live well together ... and maybe even getting some relationship help along the way. And so it goes with container orchestration and automation solutions, which are rapidly emerging as the means to m...

Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall.
As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are sti...

Here to help unpack insights into the new era of using containers to gain ease with multi-cloud deployments are our panelists: Matt Baldwin, Founder and CEO at StackPointCloud, based in Seattle; Nic Jackson, Developer Advocate at HashiCorp, based in San Francisco, and Reynold Harbin, Director of Product Marketing at DigitalOcean, based in New York. The discussion is moderated by Dana Gardner, prin...

Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches.
In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, di...

In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology.
In his session at 20th Cloud Expo, John Jelinek IV, a web developer at Linux Academy, will discuss why major players like AWS, M...

Using serverless computing has a number of obvious benefits over traditional application infrastructure - you pay only for what you use, scale up or down immediately to match supply with demand, and avoid operating any server infrastructure at all.
However, implementing maintainable and scalable applications using serverless computing services like AWS Lambda poses a number of challenges. The a...

Microservices Journal focuses on the business and technology of the software architecture design pattern, in which complex applications are composed of small, independent processes communicating with each other using language-agnostic APIs.

Cloud computing budgets worldwide are reaching into the hundreds of billions of dollars, and no organization can survive long without some sort of cloud migration strategy. Each month brings new announcements, use cases, and success stories.